Foundations for Threat Intelligence

Christoffer Strömblad, Cyber Intelligence Analyst

When discussing threat intelligence, it’s very common to read about tactical, operational, and strategic intelligence. Unfortunately, it’s far less common to read about basic, current, warning, and estimative intelligence, which could be argued to be equally important, if not more so.

For the next few minutes, you’ll read about threat intelligence foundations. This article will give you a solid understanding of the foundation upon which all threat intelligence is built, and of how threat intelligence strengthens your cybersecurity program.

Here are the types of intelligence that you’ll read about in this article:

  • Basic Intelligence – Foundational data and information collected to be used in other types of intelligence.
  • Current Intelligence – What’s happening right now that you should be aware of?
  • Warnings Intelligence – Imminent attacks or changing patterns of threat actors necessitating a response.
  • Estimative Intelligence – Predicting future developments.

Let’s begin with basic threat intelligence.

Basic Intelligence – Back to Basics

Basic threat intelligence covers your foundational understanding of your organization’s own threat landscape, cyber defense posture, countermeasure effectiveness, and so on. It’s all about the basics that underpin your cybersecurity efforts and priorities.

We could choose to categorize basic intelligence questions into an internal and external perspective.

  • Internal:
    • How many phishing attempts did your organization stop last month?
    • How many malware attacks were blocked by endpoint detection solutions?
    • How many malware attacks were discovered using network detection solutions?
    • What products and technologies are we exposing publicly on the Internet?
  • External:
    • How many phishing attacks attempt to harvest credentials?
    • How many malware attacks are related to information and credential stealers?
    • How is a hacked computer used by cybercriminals?
    • What is the current split across the most common initial access vectors?
    • What products and technologies have historically been targeted the most?

It’s the basics, but it can also cover the characteristics of these attacks. Were there particular themes used in the phishing attacks? Was a particular group of users targeted?


Basic threat intelligence will underpin much of what you do in other types of intelligence products. Perhaps more importantly, it does not require that you buy a service or product. It’s data and information you already have access to.

Current Intelligence – What’s Happening Right Now?

(New Philago, FL) On Maycember 35 Vendor Blurgh Bits was attacked by Crummy Crackers stealing troves of data exposing a significant number of their customers in the process. Blurgh Bits regrets what happened and explains how incredibly advanced the attack was and how important cybersecurity is.

The attack leveraged a demo account which had full admin access and could extract all customer data. The demo account was enabled by default and never removed by Blurgh Bits.

This is not a real citation.

You read an article on BleepingComputer about a cyber attack on a particular vendor. Now you’ve got information and data, but you don’t have intelligence. Next, you ask a colleague, “Do we use this vendor?” He replies, “Why yes, as a matter of fact, we do.”

Keeping up to date on current events is a foundational activity in a threat intelligence capability.

You investigate to understand the relationship and impact of this attack, and now you’ve got intelligence. Through analysis and contextualization, the information has been made relevant for YOUR organization. This is ultimately what makes it intelligence. It’s current intelligence because it’s related to current events and things happening right now.

Working with current intelligence is often about keeping up-to-speed with developments happening here and now. While the immediate impact is always important, current threat intelligence can contribute to changes in strategic directives and requirements.

A common challenge in current threat intelligence is to balance speed with quality, two often opposing forces.

Warnings Intelligence – Prepare To Defend

The name does kind of give it away a little bit. Warnings intelligence is about… well, warnings – unfolding events that may negatively impact your operations and business.

Warnings stretch across the tactical, operational, and strategic horizons and are a very important component of a threat intelligence capability.

Tactical warnings intelligence usually covers things like vulnerabilities that threat actors exploit in the wild – vulnerabilities in products you use. Of course, warnings intelligence still needs to be relevant and contextualized for your organization.

Operational warnings intelligence could also cover things like new trends in threat actor targeting or modus operandi. Let’s assume that threat actors have begun hacking legitimate websites and hosting malware at a subdomain of the legitimate domain.

If your current defensive countermeasures rely on qualifying and categorizing the registered (parent) domain rather than the full hostname or URL, malware hosted on a subdomain inherits the parent domain’s good reputation, and your cyber defense is significantly diminished. Knowing that your controls no longer hold against this technique is intelligence derived from an operational warnings report.
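As an added illustration of the failure mode just described (this is not code from the original article), the Python below contrasts a filter that decides on the registered domain alone with one that also checks hostname-level indicators and sends risky downloads from a never-seen host of a trusted domain to review. All domains, URLs, category data and the registered-domain helper are constructed assumptions for the demonstration; a real deployment would use the Public Suffix List and its own feeds.

```python
"""Why a web filter keyed on the registered domain misses malware served from a
compromised subdomain, and one way to close the gap. Added example, not code
from the original article; every domain, URL and category below is constructed."""
from urllib.parse import urlsplit

# Constructed category feed keyed on the registered domain, the granularity at
# which many URL-filtering products look up reputation.
CATEGORY_BY_DOMAIN = {
    "example-news.com": "news",
    "evil-cdn.net": "malware",
}

# Constructed hostname-level indicators, e.g. from an operational warnings
# report: "files.example-news.com is serving a malicious installer".
HOST_INDICATORS = {
    "files.example-news.com": "malware",
}

# Hostnames of the trusted domain that have been seen before (constructed).
KNOWN_HOSTS = {"www.example-news.com"}

BLOCKED_CATEGORIES = {"malware", "phishing"}
RISKY_EXTENSIONS = (".exe", ".msi", ".js", ".hta", ".iso", ".zip")


def registered_domain(host):
    """Naive registered-domain extraction: keep the last two labels.
    Assumption for this demo only; production code must consult the Public
    Suffix List so that hosts such as shop.example.co.uk are handled right."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def verdict_domain_only(url):
    """Decision based solely on the registered domain's category: a malicious
    subdomain silently inherits the parent's good reputation."""
    host = (urlsplit(url).hostname or "").lower()
    category = CATEGORY_BY_DOMAIN.get(registered_domain(host), "uncategorised")
    return "block" if category in BLOCKED_CATEGORIES else "allow"


def verdict_layered(url):
    """Check hostname-level indicators first, then the domain category, and send
    risky downloads from a never-seen host of a trusted domain to review."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if HOST_INDICATORS.get(host) in BLOCKED_CATEGORIES:
        return "block"
    category = CATEGORY_BY_DOMAIN.get(registered_domain(host), "uncategorised")
    if category in BLOCKED_CATEGORIES:
        return "block"
    if host not in KNOWN_HOSTS and parts.path.lower().endswith(RISKY_EXTENSIONS):
        return "review"
    return "allow"


def compare(urls):
    """Return {url: (domain_only_verdict, layered_verdict)} to expose the gap."""
    return {u: (verdict_domain_only(u), verdict_layered(u)) for u in urls}


SAMPLE_URLS = [  # constructed for the demonstration
    "https://www.example-news.com/article/123",
    "https://files.example-news.com/update.exe",  # compromised subdomain
    "https://cdn.example-news.com/lib.js",        # unseen host, risky file type
    "http://evil-cdn.net/payload.bin",
]

if __name__ == "__main__":
    for url, (old, new) in compare(SAMPLE_URLS).items():
        print(f"{url:45} domain-only={old:6} layered={new}")
```

The domain-only rule allows the malicious installer on `files.example-news.com` because the parent domain is categorised as news; the layered check blocks it on the hostname indicator and, for a subdomain nobody has seen before serving a script, returns review rather than a silent allow. The review heuristic will produce false positives and is only one possible compensating control; the point is that the warnings report changes which of your existing controls you can still rely on.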

Estimative Intelligence – Predicting the Future

The essence of estimative threat intelligence is to forecast and predict future outcomes as it relates to threat actors and your threat landscape.

Assume for a second that I could tell you that over the coming months you’ll see significant increases in phishing attacks leveraging embedded QR codes, tricking employees into visiting the site encoded in the QR code. Further, assume that this will increase the number of employees visiting malicious links by 10%.

Now, you’ve got a choice to make. Do you improve defense against QR-based phishing attacks, or do you choose to do nothing and rely on current defensive mechanisms? Doing nothing is absolutely fine if done with consideration and thought.

Please note how basic intelligence provides the foundation for properly responding to this. If you see around 200 phishing attempts each week and 10% of those will now result in an employee visiting the link, that equals 20 attempts per week reaching employees, each with a potential outcome of credential harvesting.

Are you ready to accept the risk? Do you feel confident in your current countermeasures?

Boosting Cybersecurity Through Threat Intelligence

Let’s face it; most organizations will likely never have the capability to produce this level of threat intelligence themselves. Some will, like the larger organizations, but most will not.

But with that said, it’s still incredibly important and should underpin any mature cybersecurity program. You need to be able to request these various types of intelligence outcomes, and you should know what to ask for.

Here’s what I want you to do next:

  • Begin with some of the basic questions like how many phishing attacks did your organization stop last month?
  • What’s the trend over the past 6 months?

Once you’ve answered those two basic questions, determine which of your countermeasures prevented your employees from being phished.
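As an added example (not code from the original article) covering both the basic-intelligence questions in the first section and the exercise just given, the Python below takes constructed email-gateway events and produces the monthly count of blocked phishing, a six-month trend, which countermeasure stopped each message, and which lure themes were delivered anyway. The log format, field names and every record are assumptions made for the demonstration; your own gateway will export different fields, but the questions are the same.

```python
"""Basic intelligence from data you already hold: constructed email-gateway
events summarised into monthly blocked-phishing counts, a six-month trend, and a
breakdown by the control that stopped each message. Added example, not code from
the original article; the log format and every record below are constructed."""
from collections import Counter
from datetime import datetime, timezone

# Constructed gateway events, one per line: timestamp, verdict, the control that
# stopped the message (none if delivered), lure theme, and targeted group.
# Real products use different field names; this layout is an assumption.
LOG_LINES = """\
2024-01-03T08:12:44Z verdict=blocked control=dmarc theme=invoice target=finance
2024-01-15T11:02:10Z verdict=blocked control=url-rewrite theme=mfa-reset target=all
2024-02-02T09:40:00Z verdict=blocked control=sandbox theme=invoice target=finance
2024-02-20T14:11:51Z verdict=delivered control=none theme=docusign target=hr
2024-02-21T07:09:03Z verdict=blocked control=user-report theme=docusign target=hr
2024-03-05T10:00:00Z verdict=blocked control=dmarc theme=invoice target=finance
2024-03-12T13:30:21Z verdict=blocked control=url-rewrite theme=mfa-reset target=all
2024-03-27T16:45:09Z verdict=blocked control=dmarc theme=payroll target=finance
2024-04-02T08:00:00Z verdict=blocked control=sandbox theme=invoice target=finance
2024-04-16T12:12:12Z verdict=blocked control=url-rewrite theme=qr-code target=all
2024-04-29T09:55:43Z verdict=blocked control=user-report theme=docusign target=hr
2024-05-06T07:30:00Z verdict=blocked control=dmarc theme=invoice target=finance
2024-05-09T15:20:00Z verdict=blocked control=url-rewrite theme=qr-code target=all
2024-05-14T10:10:10Z verdict=delivered control=none theme=qr-code target=all
2024-05-22T11:11:11Z verdict=blocked control=sandbox theme=payroll target=finance
2024-05-30T09:09:09Z verdict=blocked control=url-rewrite theme=mfa-reset target=it
2024-06-03T08:08:08Z verdict=blocked control=dmarc theme=invoice target=finance
2024-06-07T10:20:30Z verdict=blocked control=url-rewrite theme=qr-code target=all
2024-06-11T12:00:00Z verdict=blocked control=url-rewrite theme=qr-code target=all
2024-06-18T09:45:00Z verdict=blocked control=sandbox theme=invoice target=finance
2024-06-25T14:14:14Z verdict=blocked control=user-report theme=docusign target=hr
"""


def parse_event(line):
    """Split 'timestamp key=value ...' into a dict with a timezone-aware datetime."""
    stamp, *fields = line.split()
    event = {"ts": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def load_events(text):
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def monthly_counts(events, verdict="blocked"):
    """{'YYYY-MM': count} of events with the given verdict, in month order."""
    counts = Counter(e["ts"].strftime("%Y-%m") for e in events if e["verdict"] == verdict)
    return dict(sorted(counts.items()))


def trend_per_month(monthly):
    """Least-squares slope of the monthly series: change in count per month.
    Positive means volume is growing; compare it with the mean to judge size."""
    ys = list(monthly.values())
    n = len(ys)
    if n < 2:
        return 0.0
    mean_x = (n - 1) / 2
    mean_y = sum(ys) / n
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(ys))
    sxx = sum((x - mean_x) ** 2 for x in range(n))
    return sxy / sxx


def blocked_by_control(events):
    """Which countermeasure actually stopped the phishing that was blocked."""
    return Counter(e["control"] for e in events if e["verdict"] == "blocked")


def theme_breakdown(events, verdict=None):
    """Lure themes, optionally restricted to one verdict (e.g. what got through)."""
    return Counter(e["theme"] for e in events if verdict is None or e["verdict"] == verdict)


def summarise(text):
    events = load_events(text)
    monthly = monthly_counts(events)
    return {
        "monthly_blocked": monthly,
        "trend_per_month": round(trend_per_month(monthly), 2),
        "delivered": monthly_counts(events, verdict="delivered"),
        "by_control": dict(blocked_by_control(events)),
        "delivered_themes": dict(theme_breakdown(events, verdict="delivered")),
    }


if __name__ == "__main__":
    for key, value in summarise(LOG_LINES).items():
        print(f"{key}: {value}")
```

On the constructed data the blocked volume grows from 2 to 5 per month (a slope of 0.6 per month), URL rewriting is the control doing most of the work, and the two messages that were delivered both used themes (DocuSign, QR code) that other controls caught elsewhere. That last breakdown is the answer to the question of which countermeasures are actually preventing your employees from being phished, and it is where an estimative report about rising QR-code phishing becomes actionable for your organization.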

Feel free to reach out if you want to discuss how you can boost your cybersecurity program by leveraging threat intelligence capabilities. That’s something we know how to do reasonably well.